3.1.13—Access Control - Derived
Derived Requirement
>Control Description
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
>Discussion
Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. See [NIST CRYPTO]; [NIST CAVP]; [NIST CMVP]; National Security Agency Cryptographic Standards.
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern monitoring and controlling remote access?
- What approval process exists for remote access privileges?
- How often are remote access permissions reviewed?
- What oversight ensures remote access is appropriately restricted?
- Who is responsible for reviewing remote access logs?
Technical Implementation:
- What technical controls monitor remote access sessions?
- How do you restrict remote access to authorized users and devices?
- What VPN, RDP, or remote access gateways are deployed?
- How do you enforce MFA for remote access?
- What logging and alerting covers remote access activities?
Evidence & Documentation:
- Can you provide remote access logs showing monitoring?
- What evidence demonstrates remote access is controlled and restricted?
- Can you show remote access authorization lists?
- What alerts or reports track unusual remote access patterns?
- What audit findings verify remote access controls?